[KYUUBI #5743][AUTHZ] Improve AccessControlException verification of …

…RangerSparkExtensionSuite

# 🔍 Description
## Issue References 🔗

This pull request fixes #5743.

## Describe Your Solution 🔧

Add and use new function AssertionUtils.interceptEndswith.

## Types of changes 🔖

- [ ] Bugfix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request ⚰️

#### Behavior With This Pull Request 🎉

#### Related Unit Tests
Exists test cases.

---

# Checklists
## 📝 Author Self Checklist

- [x] My code follows the [style guidelines](https://kyuubi.readthedocs.io/en/master/contributing/code/style.html) of this project
- [x] I have performed a self-review
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

## 📝 Committer Pre-Merge Checklist

- [x] Pull request title is okay.
- [x] No license issues.
- [x] Milestone correctly set?
- [x] Test coverage is ok
- [x] Assignees are selected.
- [x] Minimum number of approvals
- [x] No changes are requested

**Be nice. Be informative.**

Closes #5744 from zml1206/KYUUBI-5743.

Closes #5743

fe58cc2 [zml1206] fix
a3560b0 [zml1206] Improve AccessControlException verification of RangerSparkExtensionSuite

Authored-by: zml1206 <[email protected]>
Signed-off-by: Kent Yao <[email protected]>

extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/HudiCatalogRangerSparkExtensionSuite.scala

@@ -25,7 +25,7 @@ import org.apache.kyuubi.plugin.spark.authz.RangerTestNamespace._
 import org.apache.kyuubi.plugin.spark.authz.RangerTestUsers._
 import org.apache.kyuubi.plugin.spark.authz.util.AuthZUtils._
 import org.apache.kyuubi.tags.HudiTest
-import org.apache.kyuubi.util.AssertionUtils.interceptContains
+import org.apache.kyuubi.util.AssertionUtils.interceptEndsWith
 
 /**
  * Tests for RangerSparkExtensionSuite on Hudi SQL.
@@ -101,32 +101,32 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
              |""".stripMargin))
 
       // AlterHoodieTableAddColumnsCommand
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 ADD COLUMNS(age int)")))(
         s"does not have [alter] privilege on [$namespace1/$table1/age]")
 
       // AlterHoodieTableChangeColumnCommand
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 CHANGE COLUMN id id bigint")))(
         s"does not have [alter] privilege" +
           s" on [$namespace1/$table1/id]")
 
       // AlterHoodieTableDropPartitionCommand
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 DROP PARTITION (city='test')")))(
         s"does not have [alter] privilege" +
           s" on [$namespace1/$table1/city]")
 
       // AlterHoodieTableRenameCommand
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 RENAME TO $namespace1.$table2")))(
         s"does not have [alter] privilege" +
           s" on [$namespace1/$table1]")
 
       // AlterTableCommand && Spark31AlterTableCommand
       try {
         sql("set hoodie.schema.on.read.enable=true")
-        interceptContains[AccessControlException](
+        interceptEndsWith[AccessControlException](
           doAs(someone, sql(s"ALTER TABLE $namespace1.$table1 ADD COLUMNS(age int)")))(
           s"does not have [alter] privilege on [$namespace1/$table1]")
       } finally {
@@ -138,7 +138,7 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
   test("CreateHoodieTableCommand") {
     withCleanTmpResources(Seq((namespace1, "database"))) {
       doAs(admin, sql(s"CREATE DATABASE IF NOT EXISTS $namespace1"))
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(
           someone,
           sql(
@@ -171,7 +171,7 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
              |)
              |PARTITIONED BY(city)
              |""".stripMargin))
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(
           someone,
           sql(
@@ -210,7 +210,7 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
            |LIKE  $namespace1.$table1
            |USING HUDI
            |""".stripMargin
-      interceptContains[AccessControlException] {
+      interceptEndsWith[AccessControlException] {
         doAs(
           someone,
           sql(
@@ -238,7 +238,7 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
              |""".stripMargin))
 
       val dropTableSql = s"DROP TABLE IF EXISTS $namespace1.$table1"
-      interceptContains[AccessControlException] {
+      interceptEndsWith[AccessControlException] {
         doAs(someone, sql(dropTableSql))
       }(s"does not have [drop] privilege on [$namespace1/$table1]")
       doAs(admin, sql(dropTableSql))
@@ -263,7 +263,7 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
              |""".stripMargin))
 
       val repairTableSql = s"MSCK REPAIR TABLE $namespace1.$table1"
-      interceptContains[AccessControlException] {
+      interceptEndsWith[AccessControlException] {
         doAs(someone, sql(repairTableSql))
       }(s"does not have [alter] privilege on [$namespace1/$table1]")
       doAs(admin, sql(repairTableSql))
@@ -288,7 +288,7 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
              |""".stripMargin))
 
       val truncateTableSql = s"TRUNCATE TABLE $namespace1.$table1"
-      interceptContains[AccessControlException] {
+      interceptEndsWith[AccessControlException] {
         doAs(someone, sql(truncateTableSql))
       }(s"does not have [update] privilege on [$namespace1/$table1]")
       doAs(admin, sql(truncateTableSql))
@@ -313,13 +313,13 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
              |""".stripMargin))
 
       val compactionTable = s"RUN COMPACTION ON $namespace1.$table1"
-      interceptContains[AccessControlException] {
+      interceptEndsWith[AccessControlException] {
         doAs(someone, sql(compactionTable))
       }(s"does not have [create] privilege on [$namespace1/$table1]")
       doAs(admin, sql(compactionTable))
 
       val showCompactionTable = s"SHOW COMPACTION ON  $namespace1.$table1"
-      interceptContains[AccessControlException] {
+      interceptEndsWith[AccessControlException] {
         doAs(someone, sql(showCompactionTable))
       }(s"does not have [select] privilege on [$namespace1/$table1]")
       doAs(admin, sql(showCompactionTable))
@@ -331,34 +331,34 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
       withCleanTmpResources(Seq.empty) {
         val path1 = "hdfs://demo/test/hudi/path"
         val compactOnPath = s"RUN COMPACTION ON '$path1'"
-        interceptContains[AccessControlException](
+        interceptEndsWith[AccessControlException](
           doAs(someone, sql(compactOnPath)))(
           s"does not have [write] privilege on [[$path1, $path1/]]")
 
         val showCompactOnPath = s"SHOW COMPACTION ON '$path1'"
-        interceptContains[AccessControlException](
+        interceptEndsWith[AccessControlException](
           doAs(someone, sql(showCompactOnPath)))(
           s"does not have [read] privilege on [[$path1, $path1/]]")
 
         val path2 = "file:///demo/test/hudi/path"
         val compactOnPath2 = s"RUN COMPACTION ON '$path2'"
-        interceptContains[AccessControlException](
+        interceptEndsWith[AccessControlException](
           doAs(someone, sql(compactOnPath2)))(
           s"does not have [write] privilege on [[$path2, $path2/]]")
 
         val showCompactOnPath2 = s"SHOW COMPACTION ON '$path2'"
-        interceptContains[AccessControlException](
+        interceptEndsWith[AccessControlException](
           doAs(someone, sql(showCompactOnPath2)))(
           s"does not have [read] privilege on [[$path2, $path2/]]")
 
         val path3 = "hdfs://demo/test/hudi/path"
         val compactOnPath3 = s"RUN COMPACTION ON '$path3'"
-        interceptContains[AccessControlException](
+        interceptEndsWith[AccessControlException](
           doAs(someone, sql(compactOnPath3)))(
           s"does not have [write] privilege on [[$path3, $path3/]]")
 
         val showCompactOnPath3 = s"SHOW COMPACTION ON '$path3/'"
-        interceptContains[AccessControlException](
+        interceptEndsWith[AccessControlException](
           doAs(someone, sql(showCompactOnPath3)))(
           s"does not have [read] privilege on [[$path3, $path3/]]")
       }
@@ -402,7 +402,7 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
              |FROM $namespace1.$table2
              |WHERE city = 'hangzhou'
              |""".stripMargin
-        interceptContains[AccessControlException] {
+        interceptEndsWith[AccessControlException] {
           doAs(someone, sql(insertIntoHoodieTableSql))
         }(s"does not have [select] privilege on " +
           s"[$namespace1/$table2/id,$namespace1/$table2/name,hudi_ns/$table2/city], " +
@@ -433,14 +433,14 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
                |""".stripMargin))
 
         val showPartitionsSql = s"SHOW PARTITIONS $namespace1.$table1"
-        interceptContains[AccessControlException] {
+        interceptEndsWith[AccessControlException] {
           doAs(someone, sql(showPartitionsSql))
         }(s"does not have [select] privilege on [$namespace1/$table1]")
         doAs(admin, sql(showPartitionsSql))
 
         val showPartitionSpecSql =
           s"SHOW PARTITIONS $namespace1.$table1 PARTITION (city = 'hangzhou')"
-        interceptContains[AccessControlException] {
+        interceptEndsWith[AccessControlException] {
           doAs(someone, sql(showPartitionSpecSql))
         }(s"does not have [select] privilege on [$namespace1/$table1/city]")
         doAs(admin, sql(showPartitionSpecSql))
@@ -484,13 +484,13 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
                |""".stripMargin))
 
         val deleteFrom = s"DELETE FROM $namespace1.$table1 WHERE id = 10"
-        interceptContains[AccessControlException] {
+        interceptEndsWith[AccessControlException] {
           doAs(someone, sql(deleteFrom))
         }(s"does not have [update] privilege on [$namespace1/$table1]")
         doAs(admin, sql(deleteFrom))
 
         val updateSql = s"UPDATE $namespace1.$table1 SET name = 'test' WHERE id > 10"
-        interceptContains[AccessControlException] {
+        interceptEndsWith[AccessControlException] {
           doAs(someone, sql(updateSql))
         }(s"does not have [update] privilege on [$namespace1/$table1]")
         doAs(admin, sql(updateSql))
@@ -504,10 +504,11 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
              |AND target.name == 'test'
              | THEN UPDATE SET id = source.id, name = source.name, city = source.city
              |""".stripMargin
-        interceptContains[AccessControlException] {
+        interceptEndsWith[AccessControlException] {
           doAs(someone, sql(mergeIntoSQL))
         }(s"does not have [select] privilege on " +
-          s"[$namespace1/$table2/id,$namespace1/$table2/name,$namespace1/$table2/city]")
+          s"[$namespace1/$table2/id,$namespace1/$table2/name,$namespace1/$table2/city], " +
+          s"[update] privilege on [$namespace1/$table1]")
         doAs(admin, sql(mergeIntoSQL))
       }
     }
@@ -549,13 +550,14 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
 
         val copy_to_table =
           s"CALL copy_to_table(table => '$namespace1.$table1', new_table => '$namespace1.$table2')"
-        interceptContains[AccessControlException] {
+        interceptEndsWith[AccessControlException] {
           doAs(someone, sql(copy_to_table))
-        }(s"does not have [select] privilege on [$namespace1/$table1]")
+        }(s"does not have [select] privilege on [$namespace1/$table1], " +
+          s"[update] privilege on [$namespace1/$table2]")
         doAs(admin, sql(copy_to_table))
 
         val show_table_properties = s"CALL show_table_properties(table => '$namespace1.$table1')"
-        interceptContains[AccessControlException] {
+        interceptEndsWith[AccessControlException] {
           doAs(someone, sql(show_table_properties))
         }(s"does not have [select] privilege on [$namespace1/$table1]")
         doAs(admin, sql(show_table_properties))
@@ -585,31 +587,31 @@ class HudiCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
 
       // CreateIndexCommand
       val createIndex = s"CREATE INDEX $index1 ON $namespace1.$table1 USING LUCENE (id)"
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(
           someone,
           sql(createIndex)))(s"does not have [index] privilege on [$namespace1/$table1]")
       doAs(admin, sql(createIndex))
 
       // RefreshIndexCommand
       val refreshIndex = s"REFRESH INDEX $index1 ON $namespace1.$table1"
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(
           someone,
           sql(refreshIndex)))(s"does not have [alter] privilege on [$namespace1/$table1]")
       doAs(admin, sql(refreshIndex))
 
       // ShowIndexesCommand
       val showIndex = s"SHOW INDEXES FROM TABLE $namespace1.$table1"
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(
           someone,
           sql(showIndex)))(s"does not have [select] privilege on [$namespace1/$table1]")
       doAs(admin, sql(showIndex))
 
       // DropIndexCommand
       val dropIndex = s"DROP INDEX $index1 ON $namespace1.$table1"
-      interceptContains[AccessControlException](
+      interceptEndsWith[AccessControlException](
         doAs(
           someone,
           sql(dropIndex)))(s"does not have [drop] privilege on [$namespace1/$table1]")

extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/IcebergCatalogRangerSparkExtensionSuite.scala

@@ -111,7 +111,7 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
       s" on [$namespace1/$table1/id]"))
 
     withSingleCallEnabled {
-      interceptContains[AccessControlException](doAs(someone, sql(mergeIntoSql)))(
+      interceptEndsWith[AccessControlException](doAs(someone, sql(mergeIntoSql)))(
         if (isSparkV35OrGreater) {
           s"does not have [select] privilege on [$namespace1/table1/id" +
             s",$namespace1/$table1/name,$namespace1/$table1/city]"
@@ -121,7 +121,7 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
             s" [update] privilege on [$bobNamespace/$bobSelectTable]"
         })
 
-      interceptContains[AccessControlException] {
+      interceptEndsWith[AccessControlException] {
         doAs(bob, sql(mergeIntoSql))
       }(s"does not have [update] privilege on [$bobNamespace/$bobSelectTable]")
     }
@@ -131,7 +131,7 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
 
   test("[KYUUBI #3515] UPDATE TABLE") {
     // UpdateTable
-    interceptContains[AccessControlException] {
+    interceptEndsWith[AccessControlException] {
       doAs(someone, sql(s"UPDATE $catalogV2.$namespace1.$table1 SET city='Guangzhou'  WHERE id=1"))
     }(if (isSparkV35OrGreater) {
       s"does not have [select] privilege on [$namespace1/$table1/id]"
@@ -147,15 +147,15 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
 
   test("[KYUUBI #3515] DELETE FROM TABLE") {
     // DeleteFromTable
-    interceptContains[AccessControlException] {
+    interceptEndsWith[AccessControlException] {
       doAs(someone, sql(s"DELETE FROM $catalogV2.$namespace1.$table1 WHERE id=2"))
     }(if (isSparkV34OrGreater) {
       s"does not have [select] privilege on [$namespace1/$table1/id]"
     } else {
       s"does not have [update] privilege on [$namespace1/$table1]"
     })
 
-    interceptContains[AccessControlException] {
+    interceptEndsWith[AccessControlException] {
       doAs(bob, sql(s"DELETE FROM $catalogV2.$bobNamespace.$bobSelectTable WHERE id=2"))
     }(s"does not have [update] privilege on [$bobNamespace/$bobSelectTable]")
 
@@ -264,9 +264,9 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
             .foreach(i => sql(s"INSERT INTO $table VALUES ($i, 'user_$i')"))
         })
 
-      interceptContains[AccessControlException](doAs(someone, sql(rewriteDataFiles1)))(
+      interceptEndsWith[AccessControlException](doAs(someone, sql(rewriteDataFiles1)))(
         s"does not have [alter] privilege on [$namespace1/$tableName]")
-      interceptContains[AccessControlException](doAs(someone, sql(rewriteDataFiles2)))(
+      interceptEndsWith[AccessControlException](doAs(someone, sql(rewriteDataFiles2)))(
         s"does not have [alter] privilege on [$namespace1/$tableName]")
 
       /**
@@ -326,7 +326,7 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
       val callRollbackToSnapshot =
         s"CALL $catalogV2.system.rollback_to_snapshot (table => '$table', snapshot_id => $targetSnapshotId)"
 
-      interceptContains[AccessControlException](doAs(someone, sql(callRollbackToSnapshot)))(
+      interceptEndsWith[AccessControlException](doAs(someone, sql(callRollbackToSnapshot)))(
         s"does not have [alter] privilege on [$namespace1/$tableName]")
       doAs(admin, sql(callRollbackToSnapshot))
     }
@@ -344,7 +344,7 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
         s"CALL $catalogV2.system.rollback_to_timestamp (table => '$table', timestamp => TIMESTAMP '$targetTimestamp')"
       }
 
-      interceptContains[AccessControlException](doAs(someone, sql(callRollbackToTimestamp)))(
+      interceptEndsWith[AccessControlException](doAs(someone, sql(callRollbackToTimestamp)))(
         s"does not have [alter] privilege on [$namespace1/$tableName]")
       doAs(admin, sql(callRollbackToTimestamp))
     }
@@ -359,7 +359,7 @@ class IcebergCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite
       val callSetCurrentSnapshot =
         s"CALL $catalogV2.system.set_current_snapshot (table => '$table', snapshot_id => $targetSnapshotId)"
 
-      interceptContains[AccessControlException](doAs(someone, sql(callSetCurrentSnapshot)))(
+      interceptEndsWith[AccessControlException](doAs(someone, sql(callSetCurrentSnapshot)))(
         s"does not have [alter] privilege on [$namespace1/$tableName]")
       doAs(admin, sql(callSetCurrentSnapshot))
     }

extensions/spark/kyuubi-spark-authz/src/test/scala/org/apache/kyuubi/plugin/spark/authz/ranger/PaimonCatalogRangerSparkExtensionSuite.scala

@@ -76,7 +76,7 @@ class PaimonCatalogRangerSparkExtensionSuite extends RangerSparkExtensionSuite {
            |)
            |""".stripMargin
 
-      interceptContains[AccessControlException] {
+      interceptEndsWith[AccessControlException] {
         doAs(someone, sql(createTable))
       }(s"does not have [create] privilege on [$namespace1/$table1]")
       doAs(admin, createTable)